
MICROSOFT 365 ENTERPRISE SECURITY ASSESSMENT PLAYBOOK

A field guide and toolkit for assessing the security quality of Microsoft 365 Enterprise deployments and operations

SEPTEMBER 2020

A playbook by RiskRecon, Inc. | WWW.

TABLE OF CONTENTS

INTRODUCTION 3
THE MICROSOFT 365 SECURITY CRITERIA 4
    Authentication 5
    Account Management 9
    Service Configuration 12
ABOUT RISKRECON 15
COPYRIGHT AND LEGAL DISCLAIMER 16


INTRODUCTION

As with many cloud services, the core value proposition of Microsoft 365 Enterprise (formerly Office 365) is also its security challenge. "Office 365 and Microsoft 365 Apps enables you to create, share, and collaborate from anywhere on any device with a cloud-based suite of productivity apps and services." [1] Extending the challenge further, all of the related data is centrally stored in OneDrive, which Microsoft describes as providing the ability to "access files from any device, at any time." [1]

Even if your enterprise is not operating on Microsoft 365, no doubt a large percentage of your vendors are. Correct security configuration and operation of Microsoft 365 by you and your third parties is critical to protecting your risk interests.

To aid you in assessing the security of Microsoft 365 deployments in your own organization and by your third-party providers, RiskRecon has developed the Microsoft 365 Enterprise Assessment Playbook. This Playbook provides a step-by-step methodology for assessing the quality of the essential security configurations of any Microsoft 365 Enterprise deployment.

Here you will find the essential Microsoft 365 security assessment criteria, an explanation of why each criterion matters, how to gather the related evidence, and what proper configuration looks like. RiskRecon's Microsoft 365 Security Assessment Questionnaire accompanies this Playbook, giving you the tools to assess the security of third-party deployments.

Third-party security assessments founded on objective evidence are the most effective way to achieve good risk outcomes. This Microsoft 365 Third-Party Assessment Playbook and the accompanying Questionnaire do just that - they help you achieve better risk outcomes by providing you the knowledge and tools for objectively assessing the security quality of any Microsoft 365 deployment.

ACKNOWLEDGEMENTS

The Microsoft 365 Assessment Playbook was developed by experts in the fields of cloud security and third-party cybersecurity assessment from RiskRecon and Stratum Security. The project was led by Jonathan Ehret, a widely known third-party risk expert and RiskRecon's Vice President of Strategy and Risk. RiskRecon provides automated risk assessment and workflow technology that makes it easy to understand and act on your own enterprise and your third-party cybersecurity risk.

Stratum Security provided additional subject matter expertise, developing the draft security assessment criteria. STRATUM SECURITY is a Washington, D.C.-based security consulting firm that specializes in web application and cloud security assessments.

[1] Retrieved from on 8/31/2020


THE MICROSOFT 365 SECURITY CRITERIA

While Microsoft 365 provides an expansive set of capabilities, the core security controls boil down to a fairly short set of essential controls. This is achieved through Microsoft's unified identity and access management architecture. While the control list is short, getting the configurations right is critically important, because Microsoft 365's default configuration is quite permissive. These defaults include allowing non-privileged users to invite guest users into the organization's Azure AD, as well as the default file sharing settings.

THE ASSESSMENT CRITERIA

The Microsoft 365 Security Criteria cover three security domains. Each domain contains one or more security criteria. Each criterion is presented as follows:

• ID - The unique criterion identifier. This maps to the associated questionnaire.

• Criterion - The assessment criterion, phrased as a question.

• Why this is important - An explanation of why the criterion is important for securing the Microsoft 365 deployment.

• Validation steps - A description of how to collect the evidence necessary to assess compliance with the criterion.

• Acceptable responses - A listing of the configuration states that meet the criterion requirements.

• Failure responses - A listing of the configuration states that do not meet the criterion requirements.

• More info - A hyperlink to additional information related to the criterion.

THE QUESTIONNAIRE

We've instantiated these Criteria in a security questionnaire. Please feel free to use the questionnaire to assess the security of your vendors' Microsoft 365 deployments. Send it over to your vendors to fill out, or ask the questions over the phone. As you do this, you will get much greater transparency into an important component of their security program. You will also get greater accountability for securing the environment properly, because generic responses like "Yes, we do Identity and Access Management stuff" aren't going to fly.


AUTHENTICATION

WHAT Identity and Access Management is centered around Azure AD and is arguably the most sensitive component within the Microsoft 365 ecosystem. Azure AD also allows organizations to synchronize their on-prem Active Directory with Azure AD, allowing authentication with other external services.

WHY Azure AD is a feature-rich identity and access management system that can be complex, depending on the organization's configuration. Additionally, if the organization synchronizes its on-prem Active Directory to Azure AD, it is possible to expose internal domain objects to external threats. As such, a well-planned and properly secured Azure AD configuration is critical.

ID: o365 - 1: Are users configured with multi-factor authentication?

WHY IS THIS IMPORTANT? Multi-factor authentication is a critical security control that protects organizations from password attacks such as password guessing and credential theft. If a Microsoft 365 user account is compromised, an attacker may gain access to the user's emails, files, chat history, and other sensitive data.

BACKGROUND Microsoft 365 provides organizations multi-factor authentication through two different features:

• Azure MFA for Microsoft 365 - Basic but effective multi-factor authentication available in all Microsoft 365 subscriptions

• Microsoft Azure Conditional Access - Feature-rich and granular multi-factor authentication enforcement available

Azure MFA for Microsoft 365 provides basic multi-factor authentication and is implemented via the Microsoft 365 user management interface. There are three multi-factor authentication settings that can be applied to each user:

• Disabled - The user is not allowed to self-enroll or use multi-factor authentication

• Enabled - The user may enroll in and use multi-factor authentication

• Enforced - The user must enroll in and use multi-factor authentication

Microsoft Azure Conditional Access is an Azure AD Premium P1/P2 feature that allows organizations to define granular user access policies, including which users must use multi-factor authentication to be granted access to Microsoft 365 resources.

VALIDATION STEPS Access the Multi-factor Authentication screen by:

1. Navigate to

2. Access the "Users" menu, then select "Active users"

3. Click the "Multi-factor authentication" menu item

4. Inspect the value in the "Multi-factor Auth Status" column for each user.

5. Confirm whether each user is configured with the "Enforced" value.


For Azure MFA for Microsoft 365, the following URL and screenshot can help validate the response:


Figure 1: Screenshot showing the users within the organization are configured with a multi-factor status of "Enforced"

ACCEPTABLE RESPONSE(S)

• All users are configured with a multi-factor status of "Enforced".

FAILURE RESPONSE(S)

• Multiple users are configured with a multi-factor status of Disabled.

• Multiple users are configured with a multi-factor status of Enabled.
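The per-user check above can be applied mechanically to the exported user list. The following is an added example, not code from the RiskRecon playbook; it assumes the evidence has been flattened to records carrying the "Multi-factor Auth Status" column value, with the contoso.example names being constructed sample data.

```python
from collections import Counter

# Constructed sample: the admin center "Multi-factor Auth Status" column
# flattened to records. An empty value mirrors a user whose MFA settings
# were never touched, which the portal shows as Disabled.
SAMPLE_USERS = [
    {"userPrincipalName": "alice@contoso.example", "status": "Enforced"},
    {"userPrincipalName": "bob@contoso.example", "status": "Enabled"},
    {"userPrincipalName": "carol@contoso.example", "status": ""},
    {"userPrincipalName": "dave@contoso.example", "status": "enforced"},
]

VALID_STATES = ("Disabled", "Enabled", "Enforced")


def normalize_status(raw):
    """Map a raw column value to one of the three per-user MFA states.
    Blank or unrecognised values are treated as Disabled (the safe reading)."""
    value = (raw or "").strip().capitalize()
    return value if value in VALID_STATES else "Disabled"


def evaluate_per_user_mfa(users):
    """Criterion o365-1 for Azure MFA for Microsoft 365: acceptable only when
    every user is Enforced. 'Enabled' users may have registered a second
    factor, but nothing requires it at sign-in, so they are findings too."""
    states = [(u["userPrincipalName"], normalize_status(u.get("status")))
              for u in users]
    counts = Counter(state for _, state in states)
    findings = [(upn, state) for upn, state in states if state != "Enforced"]
    # An empty export is not evidence that the criterion is met.
    verdict = "ACCEPTABLE" if users and not findings else "FAILURE"
    return {"verdict": verdict, "counts": dict(counts), "findings": findings}


if __name__ == "__main__":
    result = evaluate_per_user_mfa(SAMPLE_USERS)
    print(result["verdict"], result["counts"])
    for upn, state in result["findings"]:
        print(f"  {upn}: {state}")
```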

MICROSOFT AZURE CONDITIONAL ACCESS

VALIDATION STEPS From the Azure Portal, access the Azure Active Directory interface. Then open the Security menu, then the Conditional Access policies screen, and view the tenant's Conditional Access policies. Identify whether an enabled policy (the State column should show "On") requires multi-factor authentication for all users within the organization. The screenshot below shows a Conditional Access policy named Enforce MFA that is assigned to a group called Company Employees.


Figure 2: Screenshot of a Conditional Access rule (Enforce MFA) that requires all users within the "Company Employees" group to use multi-factor authentication.

For Azure MFA for Microsoft 365, the following URL and screenshot can help validate the response:

Figure 3: Screenshot of a Conditional Access rule that requires all users within the "Company Employees" group to use multi-factor authentication.


ACCEPTABLE RESPONSE(S)

• A Conditional Access rule for all employees is configured and enforced that only grants access to Microsoft 365 via multi-factor authentication. (Note: some service or non-user accounts may not have multi-factor authentication configured.)

FAILURE RESPONSE(S)

• The policy is not enabled

• Not all users are assigned to the Conditional Access policy

• The policy does not require multi-factor authentication to access Microsoft 365

FURTHER INFORMATION:

• How it works: Azure Multi-Factor Authentication

• What is Conditional Access?

ID: o365 - 2: If the organization's on-prem Active Directory is synchronized with Azure Active Directory, are only necessary objects synchronized?

WHY IS THIS IMPORTANT? If an organization is synchronizing its on-prem Active Directory with Azure Active Directory (Azure AD), it is a good indicator that the organization's IT environment is complex enough to justify cloud authentication. Organizations commonly synchronize their on-prem AD with Azure AD to allow users to authenticate to public cloud SaaS applications and to ease the administrative burden of managing users across a portfolio of cloud services. However, it is a security best practice to sync only those AD objects that require use within Azure AD (e.g. on-prem service accounts that only access on-prem resources should not be synchronized, whereas user accounts should be). As such, examine the objects within Azure AD to determine whether the organization is synchronizing only the appropriate objects.

VALIDATION STEPS View all users within the Azure AD Users screen and identify on-prem resources:

1. Navigate to and select Azure AD.

2. From the "Manage" menu on the left, select "Users"

3. Identify any user accounts that appear to be on-prem users.

   Hint: Look for usernames containing words that indicate the account is for internal / on-premise purposes only, such as: backup, firewall, duo, nessus, audit, IWAM_*, IUSR_*.

ACCEPTABLE RESPONSE(S)

• Evidence that indicates that not all on-prem AD users have been synchronized to Azure AD.

FAILURE RESPONSE(S)

• Evidence that all on-prem user accounts have been synchronized to Azure AD.
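The naming hint in the validation steps can be turned into a repeatable screen over the exported directory. The following is an added example, not code from the RiskRecon playbook; it assumes users were exported with the Graph onPremisesSyncEnabled and accountEnabled attributes (null for cloud-only objects), and the contoso.example accounts are constructed sample data.

```python
import re

# Constructed sample shaped like Graph GET /users with the select
# userPrincipalName,onPremisesSyncEnabled,accountEnabled.
SAMPLE_DIRECTORY = [
    {"userPrincipalName": "alice@contoso.example", "onPremisesSyncEnabled": True, "accountEnabled": True},
    {"userPrincipalName": "svc-backup@contoso.example", "onPremisesSyncEnabled": True, "accountEnabled": True},
    {"userPrincipalName": "IWAM_FILESRV01@contoso.example", "onPremisesSyncEnabled": True, "accountEnabled": True},
    {"userPrincipalName": "nessus.scanner@contoso.example", "onPremisesSyncEnabled": True, "accountEnabled": False},
    {"userPrincipalName": "admin@contoso.onmicrosoft.example", "onPremisesSyncEnabled": None, "accountEnabled": True},
]

# Indicators from the playbook's hint: words suggesting an on-prem-only
# purpose, plus the legacy IIS IWAM_/IUSR_ prefixes. The word must be
# delimited by a non-letter so "audit" does not flag "auditor".
ONPREM_HINT = re.compile(
    r"(^(IWAM|IUSR)_)|(^|[^A-Za-z])(backup|firewall|duo|nessus|audit)([^A-Za-z]|$)",
    re.IGNORECASE,
)


def flag_onprem_only_objects(users):
    """Criterion o365-2: synced accounts whose name suggests they serve only
    on-prem purposes and so should not have been synchronized to Azure AD."""
    flagged = []
    for u in users:
        if not u.get("onPremisesSyncEnabled"):
            continue  # cloud-only object: nothing to sync-check
        local_part = u["userPrincipalName"].split("@", 1)[0]  # ignore the domain
        if ONPREM_HINT.search(local_part):
            flagged.append((u["userPrincipalName"], bool(u.get("accountEnabled"))))
    return flagged


def assess_sync_scope(users):
    """Summarise the evidence: how much of the directory is synced and which
    synced objects need the vendor to justify their presence in Azure AD."""
    synced = sum(1 for u in users if u.get("onPremisesSyncEnabled"))
    flagged = flag_onprem_only_objects(users)
    return {"synced": synced, "total": len(users), "flagged": flagged,
            "verdict": "REVIEW" if flagged else "ACCEPTABLE"}
```

A flagged account is a question for the vendor, not an automatic failure; the criterion fails when the answer shows the whole on-prem directory was synchronized.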
